Supervised by: Tuscany Parkin BA LLB (Rhodes) BCL (Oxon). Tuscany graduated with the BCL Masters of Law from the University of Oxford earlier this year, specialising in Jurisprudence, Competition Law and Comparative Contract Law. She is currently reading for the MPhil in Legal Philosophy (particularly the philosophy of contract law). Previously, she obtained her BA in English Literature and LLB Law with honours from Rhodes University.
How does the implementation of surveillance protocols during the COVID-19 pandemic affect the privacy of the people and the overall effectiveness of the management of countries under common law jurisdictions?
The Coronavirus Disease 2019 (COVID-19) has rapidly escalated into a global health crisis ever since its outbreak at the end of 2019, prompting the World Health Organisation to characterise it as a pandemic in March 2020. At the time of writing in August 2021, it has infected 200 million people and cost the lives of 4 million people worldwide, with numbers increasing due to the emergence of variants in various countries. In their fight against the pandemic, governments around the world have resorted to unorthodox technological measures, including surveillance technologies such as contract tracing and exposure notifications apps.
Privacy in Common Law
Privacy law is the body of law that regulates the processing of personal information, including personal healthcare information and financial information. (1) The Universal Declaration of Human Rights states that everyone has the right to privacy. There is currently a freestanding right to privacy in common law. An invasion of privacy is a tort based in common law consisting of four distinct causes of action:
- Appropriation of Name or Likeness: Involves an unauthorised use of a person’s name, likeness or identity, causing an injury to the person
- Intrusion Upon Seclusion: Involves an intrusion into a person’s private affairs, where the intrusion is considered objectionable to a reasonable person
- False Light: involves the public disclosure of misleading and damaging information about a person
- Public Disclosure of Private Facts: Involves details of a person’s private life becoming public information (2)
Contact Tracing in COVID-19
Contact tracing apps and systems are the main tool used by many governments to identify close contacts and confirmed cases of COVID-19. The use of contact tracing, along with other surveillance protocols, has been crucial in assisting governments in controlling the transmission of COVID-19. Most of these contact tracing apps use geographical location tracking on its users, raising privacy concerns.
Such uses of data may threaten fundamental human rights and liberties, and private companies may also be able to capture the data through different methods for their own personal gain. Data protection and privacy laws are important as they provide a legal basis for limitations on data collection.
The popularised use of these technologies in multiple countries has raised personal data privacy concerns amongst citizens. Data privacy is undoubtedly an important right, however, to what extent is this right protected in a time of crisis, where such information may be crucial in fighting the virus? This paper compares the use of these surveillance protocols in three common law jurisdictions – Hong Kong, New Zealand and Singapore. In doing so, it explores whether such jurisdictions violate their own local privacy laws, as well as examining the overall effectiveness of these protocols.
Hong Kong is a special administrative region of the People’s Republic of China. Due to previously being a British colony, Hong Kong operates under a separate governing, legal and economic system from that of mainland China, under the principle of ‘one country, two systems’. The law of Hong Kong has the foundation of the English common law system, with its constitutional framework provided by Hong Kong Basic Law, which came into effect after the handover in 1997. The Hong Kong Basic Law sets out the status of Hong Kong as a special administrative region of China. (3)
The Coronavirus Pandemic in Hong Kong
The first cases of the coronavirus in Hong Kong emerged in January 2020, (4) and the disease has spread rapidly since, with 11,950 confirmed cases and 212 deaths at the time of writing. After the implementation of stringent government protocols, such as border restrictions, mandatory quarantine, social distancing, masks, and the vaccine rollout, numbers of confirmed cases in Hong Kong have gone down significantly, with a weekly average of 3 cases as of August 2021. (5)
Data Privacy Law in Hong Kong
The Personal Data (Privacy) Ordinance (PDPO) regulates the collection and handling of personal data in Hong Kong. The six Data Protection Principles (DPPs) in the PDPO ensures the lawful and fair collection of data. The six principles of the ordinance are as follows, this will be seen relevant during the application of these principles in the data-led measures implemented by the Hong Kong government:
- DDP 1 – Purpose and Manner of Collection: Personal data should only be collected for a lawful purpose directly related to the activity of the user. Subjects should be informed whether or not it is obligatory to supply the data. They also have the right to correct and access the data.
- DDP 2 – Accuracy and Duration of Retention: Data users should ensure that all data is accurate and data no longer required for the purpose for which it was collected should be erased, unless prohibited by law.
- DDP 3 – Use of Data: The use of personal data for any purpose other than its original purpose is prohibited, unless the subject has expressed consent.
- DDP 4 – Data Security: Data users should take all practicable steps to protect personal data from being accessed accidentally or without authorisation.
- DDP 5 – Openness and Transparency: Data users should ensure openness in their policies and practises regarding personal data.
- DDP 6 – Access and Correction: Data subjects have the right to request access to and correction of their own personal data, but data users do have the right to refuse that request with reasoning. (6)
The PDPO provides a few exemptions under particular circumstances. Section 59 of the PDPO provides grounds of exemption to safeguard the health of data subjects. In particular, under section 59(2) of the PDPO, personal data relating to the identity or location of the data subject may be disclosed to a third party without the consent of the data subject for the need to protect public health. Section 60B of the PDPO also allows personal data to be exempted from the provisions of data protection if the use of the data is required or authorised by or under any enactment, by any rule of law or by an order of a court in Hong Kong. (7)
Due to the severity of the coronavirus pandemic, the Hong Kong government has implemented several data-led measures to help reduce the impact of the pandemic. Below is a brief summary of some of the measures and protocols used by the Hong Kong government that involve the collection of personal data.
The ‘LeaveHomeSafe’ app was launched in November 2020 to help citizens of Hong Kong record their visits to public places, such as restaurants and stores ,by scanning a QR code unique to the venue. Their visitation records are recorded on the app and they are notified if they have visited the same venue as someone who has been recently infected. (8)
Electronic wristbands and StayHomeSafe app
Anyone subject to compulsory home quarantine in Hong Kong is required to wear an electronic tracker wristband that alerts the authorities if the wearer violates their home quarantine. Those with the wristband are required to download the ‘StayHomeSafe’ app and link the wristband with the app. The technology used in the wristband and app is called geofencing technology, which is different from GPS location tracking as it analyses environmental communication signals, such as Wi-Fi and Bluetooth. (9)
The Hong Kong Government has created an online dashboard platform of the map of Hong Kong with lists of buildings and venues that people with confirmed infection cases have visited. The dashboard also lists out the gender and the age of patients infected with the coronavirus and their current health status.
The Hong Kong government’s mass coronavirus testing scheme caused major concerns amongst the citizens of Hong Kong due to the privacy implications of the tests. Many thought that the testing team from mainland China was sent to obtain DNA from residents for surveillance purposes, helping mainland China build its DNA database for biometric surveillance, causing concerns amongst human rights activists. These theories were fueled by the fact that one of the contractors conducting the coronavirus testing – the BGI Group – has a subsidiary blacklisted by the US government for taking DNA from Uyghurs in Xinjiang. These theories could also be attributed to the pre-existing mistrust some Hong Kong citizens have of the mainland Chinese government due to recent political tensions.
According to the Privacy Commissioner of Hong Kong, Stephan Kai-yi Wong, there are sufficient legal and justifiable bases that allow the government to collect and use information to track potential COVID-19 carriers or patients in the interest of both the public and the individuals concerned.
The exception to the general rule of the privacy law, section 59 of the PDPO, provides for the situations where the use of personal data may be exempted from the application of DPP 3 (use of data) if it relates to safeguarding the physical or mental health concerns of the data subject or any other individual in the interests of the public. In other words, any breach of the general rule on the use of data without consent may be saved by the fact that the misuse arises from the need to protect public health.
In particular, section 59(2) of the PDPO states that in circumstances where the application of the restrictions on the use of data would be likely to cause serious harm to the physical or mental health of the data subject or any other individual, personal data relating to the identity or location of the data subject may be disclosed to a third party without the consent of the data subject. (10)
Even though these data-led measures do not violate the privacy laws in Hong Kong, the question remains as to whether these measures, particularly the contact tracing app LeaveHomeSafe, are even effective in combating COVID-19 at all. Ignoring concerns regarding privacy, the effectiveness and efficiency of the app is doubted by many.
The effectiveness of these apps relies on the self-discipline of the users. Citizens of Hong Kong can opt out of using the app by writing down their personal information on a slip of paper when they enter a venue rather than actually using the app, meaning it is unknown whether they are even putting down their actual details or not. The app sends notifications to users if their visitation records match someone that has been infected with the coronavirus, but it cannot force the recipient to seek medical help and report symptoms truthfully since a positive COVID-19 test carries a stigma in Hong Kong, reducing the overall effectiveness of the app. In addition, the distrust in the government due to political tensions in Hong Kong definitely doesn’t help with the scepticism surrounding these measures.
The use of the other data-led measures, such as the online database of cases and the StayHomeSafe app, can be argued to be more useful than the LeaveHomeSafe app. The online database provides insight into areas in Hong Kong that have a high concentration of cases and the StayHomeSafe app and electronic wristbands dissuade people from violating their home quarantines and potentially spreading the virus, as authorities are alerted if they do.
The reduction in the number of coronavirus cases in Hong Kong over the past few months (at the time of writing) therefore cannot be attributed to the use of these data-led measures, as it is most likely due to other factors such as the introduction of mandatory testing and quarantine, and the vaccine.
New Zealand is a constitutional monarchy – Queen Elizabeth II of the United Kingdom is the formal figurehead – with a parliamentary system, even though their constitution is not codified. Similarly to Hong Kong, New Zealand was a former colony of the British Empire, however its status as a dominion within the British Empire was established in 1907. Due to this strong relation and influence, New Zealand follows a Common Law System. New Zealand is a parliamentary democracy with a unitary government. It lacks a comprehensive written or ultimate constitution, but constitutional rules are found in a range of documents and other sources, including a skeletal constitutional statute and a handful of key legislations.
The Coronavirus Pandemic in New Zealand
The first cases of COVID-19 in New Zealand were confirmed on 28 February 2020. The total number of cases since the first confirmed case is 2,558 at the time of writing. As of 13 August, there are 44 active confirmed cases in the country. New Zealand rapidly took precautionary measures, such as border closure on 3 February (the day after the first death due to COVID-19 outside China was confirmed) and early lockdowns. These, paired with effective communication and public compliance since the outbreak, resulted in a quick return to life without lockdowns in New Zealand.
Data Privacy Law in New Zealand
New Zealand’s Privacy Act 2020 came into play on 1 December 2020 – almost an entire year after the first coronavirus case was announced in China – and replaced the Privacy Act 1993. The 13 NZ Privacy Principles in New Zealand’s Privacy Act 2020 govern all handling of personal information, requiring you to notice and inform users about the collection, use, and sharing of their personal information, as well as giving them the right to access and correct their data. The Privacy Commissioner enforces this. These principles apply to all organisations and websites that have access to personal information from within New Zealand. The location where the organisations are located is irrelevant otherwise.
There are a few notable changes to the Privacy Act; for example, under the ‘Good reasons for refusing access to personal information’ section, the decision to neither confirm nor deny personal information is held and the decision to refuse access to personal information are both listed. The following briefly outlines the main differences between the two acts:
- Stronger data breach security and control
- Stronger enforcement tools for the Privacy Commissioner.
- Decisions on access requests will now be made by the Privacy Commissioner and not the Human Rights Review Tribunal.
- Stronger cross-border transfer regulations
- Stronger fines for non-compliance – of up to $10,000.
- Class action lawsuits for non-compliance (11)
The gravity of the pandemic caused New Zealand to react similarly to Hong Kong regarding the innovation of new phone applications and the implementation of data-led measures to track new cases and limit infections. Below is a brief overview of some of these measures, according to the Office of the Privacy Commissioner.
The COVID Card, a formal vaccine certificate that would be used as proof that a New Zealand citizen is vaccinated in order to travel, has been proposed by the Ministry. The card would hold the citizen’s personal identifiable information. The $100m COVID Card plan, according to Privacy Commissioner John Edwards, needs more thought before being adopted as a contact tracing solution for COVID-19. This is especially because of the potential discomfort citizens could have while carrying around a hard copy of their personal information.
COVID Tracer app
The COVID Tracer app is an application created by the New Zealand Ministry of Health with the purpose of making tracking where someone has been easier. Therefore when a positive case arises, alerting contacted people becomes faster and contributes to the slowing of cases spreading. Approximately 95% of mobile phone devices and operating systems are compatible with this software, making it accessible to a significant portion of the population. It also includes other features such as personal information and regularly-updated national statistics. (12)
The proposed and implemented data-led measures have raised discomfort amongst some New Zealanders regarding the extent to which their data is being used and how private it is. The Ministry of Health has called for cool heads over these concerns and emphasised that data privacy will always be upheld.
The CovidCard, for example, has not been implemented at the time of writing and is just a proposal, according to the Office of the Privacy Commissioner. The concern arises from the fact that citizens would be required to carry a hard copy of their personal information everywhere they go. In and of itself, this does not breach any laws or clauses within the 2020 Privacy Act. This is because the purpose of this potential rule is to speed up the process to allow for more freedom of movement within and outside of New Zealand. All information on the card would already be legally made accessible to the government, therefore the CovidCard does not breach any clauses.
With the COVID Tracer App, in regards to data privacy, the Privacy Commissioner endorsed this software as it has been through independent security testing. Second, the sharing of any personal information is done by the choice of the user and only shared with the Ministry of Health to speed up the tracking process. Further, if a user is identified as a confirmed case, it is their choice to share their digital diary with the Ministry and even so, that information will not be used for enforcement purposes or shared with any other government agency. In addition to that, the app anonymises statistics to protect the privacy of each user.
Bluetooth alerts are also anonymised, therefore the individual with a confirmed or probable case of COVID-19 is not revealed, however other citizens have enough information about locations they should avoid. Finally, personal data can be manually or automatically (after a certain amount of time) deleted permanently at the user’s will, to protect their choice in what personal information can be accessed by the app. In summary, the COVID Tracer App leaves users with the choice of what information they are willing to share with the app, the government, and other citizens.
In conclusion, the protocols discussed above do not violate New Zealand’s local privacy laws and instead assure the public that personal privacy will always be maintained, and these measures were introduced in order to speed up the tracking process to eventually allow New Zealand to return to normal. In other words, the Privacy Act 2020 is maintained through these protocols.
The CovidCard is a measure that has not yet been enforced, however the potential effectiveness of this measure can be predicted and discussed. For example, having personal information easily accessible can speed up processes such as tracing and allowing for more movement. However in early March, Response Minister Chris Hipkins claimed that this technology has not added anything useful and a regular smartphone can be more productive. This suggests that effectiveness of this proposed measure is low, and also relieves stress among New Zealanders regarding the concern of potentially being required to carry a hard copy of their personal information.
The effectiveness of the COVID Tracer app is questionable, The primary issue, other than potential data-privacy concerns, is the high compliance burden placed on citizens to improve New Zealand’s coronavirus status. It relies on the honesty and participation of users. The number of users that put in data on the app has drastically fluctuated multiple times, suggesting this method is not consistent and therefore its impact on New Zealand is also inconsistent.
Although these measures may have contributed to the decrease in cases within New Zealand’s borders, it is unclear the extent to which they were effective in reducing cases. This is because of the other measures irrelevant to data privacy, for example the closing of borders since the first death outside of China due to COVID-19 was confirmed as well as the introduction and implementation of vaccines that fight against the virus. These two factors, as research shows, have helped immensely in the reduction of cases and the process of recovery. It is therefore difficult to determine how much the tracer app and other data-lead measures have actually impacted New Zealand’s current status.
The Republic of Singapore is a country in Southeast Asia. Singapore is a republic with a parliamentary system of government based on the Westminster Model, which incorporates a series of procedures for operating a legislature. Its legal system is based on the English common law system, deriving from their constitution, legislation, subsidiary legislation, and judge-made law. (13)
The Coronavirus Pandemic in Singapore
First cases of the coronavirus pandemic emerged on 23 January 2020, with clusters growing around the country. The pandemic has led to a series of lockdowns in the country. Due to high volume vaccination programmes, Singapore has become the most vaccinated country at the time of writing, with a case fatality rate of 0.27%.
Data Privacy Law in Singapore
The Personal Data Protection Act (PDPA) is the baseline protection for personal data in Singapore. It recognises the importance of the protection of personal data as well as the reasons for organisations to collect and use data under legitimate and reasonable purposes. (14)
Under the PDPA, organisations are required to obtain a person’s consent to collect, use, or disclose their personal data. Consent is not required under specific exceptions if it is clearly in the interests of the individual, in national interests, or in the legitimate interests of an organisation which outweigh any effect on the individual. Individuals are allowed to withdraw consent at any time by giving notice, with the organisation obliged to allow for this withdrawal.
The PDPA involves several data protection obligations for organisations in respect of their data activities, to help protect the rights of the individual whose data is being collected. As mentioned above, the organisation must obtain the consent of the individual before collecting and using their data. The purpose of data collection must also be reasonable and legitimate. There must also be transparency in collecting the data in which the individual is informed of the purpose of data collection. Correction and access of the personal data belonging to the individual should also be available upon request. The data collected must be accurate for the purpose of collection and secure from unauthorised access. The personal data must also be destroyed when no longer needed.
Organisations that fail to comply with the PDPA may be fined up to 10% of annual turnover or $1m. (15)
To combat the coronavirus, the Singaporean government has implemented several data-led measures.
Safe Entry is the national digital visitor registration system that helps record the information of individuals visiting different locations such as hotspots and public venues. Visitors are logged into a centralised database managed by government authorities at locations visited based on scanning their National Registration Identity Card, scanning a unique QR code to the location, or using TraceTogether devices. When one is identified as a potential close contact case or confirmed infected case, government authorities will retrieve the data from the database. (16)
The SafeEntry system can be used along TraceTogether. The TraceTogether programme is another contact tracing system implemented by the Singaporean Government. The programme takes place in two forms, an app and a physical token for those who don’t own a smartphone or do not want to use the mobile app. Both the app and token work through the exchange of Bluetooth signals between other TraceTogether devices, calculating the distance between the users and the overall duration of encounters. These records are stored locally for 25 days and are deleted after. The app had reached a 92% adoption rate as of May 2021.
In early 2021, the Singaporean government revealed that data from the TraceTogether app can be accessed by the police, going against the government’s previous promise that the data would not be accessed unless the user of the programme tests positive for COVID-19. Since the revelation, the privacy statement on TraceTogether has been modified to justify the use, stating that the Criminal Procedure Code applies to all data collected under Singapore’s jurisdiction. This has sparked controversy amongst Singaporean citizens as many responded negatively to the revelation, with an online petition calling for the termination of the technology garnering 55,000 as of January 2021. (17)
Along with manual contact tracing efforts, the TraceTogether programme has helped identify 25,000 close contact COVID-19 cases. (18) Its effectiveness is due to its high adoption rate by Singaporean citizens, showing that controversy over the use of its data wasn’t largely impacted and these contract tracing apps have remained effective in combating the COVID-19 pandemic in Singapore.
As a result of the COVID-19 pandemic, many governments have taken unprecedented measures to ensure the safety of their citizens and to limit the spread of the virus. Hong Kong, New Zealand and Singapore have taken many measures that involve the use of their citizen’s locational data and information, such as contact tracing apps. By applying the privacy laws in their respective jurisdictions to the implementation of these data-led measures, it is concluded that these privacy laws were not violated in all three countries.
Although the privacy laws belonging to those jurisdictions were not breached, there are still existing reservations and distrust about these surveillance protocols. This includes controversy surrounding contact tracing apps amongst the people of Hong Kong due to the distrust of the local government and overall political climate, and the Singaporean government going against what was previously promised relating to the use of the data collected in the contact tracing apps causing massive controversy.
In terms of the effectiveness of these surveillance protocols, Singapore’s contract tracing apps were proven to be effective while Hong Kong and New Zealand’s surveillance protocols don’t seem to have a significant role in combating the virus, or it is just difficult to determine their impacts due to other relief strategies such as closing borders and vaccination. Despite the debate on the overall effectiveness of these protocols, these surveillance protocols can offer a slight reassurance to the government that the virus is able to be monitored to a degree.
In conclusion, data privacy is an important human right, however at a time like the COVID-19 pandemic, it is legally acceptable for governments to take such measures for the safety and health of their people.
- ‘Privacy Laws definition’ (Law Insider) <https://www.lawinsider.com/dictionary/privacy-laws>
- ‘What Is Invasion of Privacy?’ (FindLaw) <https://www.findlaw.com/injury/torts-and-personal-injuries/what-is-invasion-of-privacy-.html> date accessed 27 December 2019
- ‘Our Legal System’ (Department of Justice) <https://www.doj.gov.hk/en/our_legal_system/index.html>accessed 9 November 2020
- Elizabeth Cheung, ‘China coronavirus: death toll almost doubles in one day as Hong Kong reports its first two cases’ (South China Morning Post, 22 January 2020) <m/news/hong-kong/health-environment/article/3047193/china-coronavirus-first-case-confirmed-hong-kong>accessed 22 January 2020
- ‘Coronavirus Disease (COVID-19) in HK’ <https://www.coronavirus.gov.hk/eng/index.html>
- ‘The Personal Data (Privacy) Ordinance’ (Office of the Privacy Commissioner for Personal Data, Hong Kong) <https://www.pcpd.org.hk/english/data_privacy_law/ordinance_at_a_Glance/ordinance.html>
- ‘Cap. 486 Personal Data (Privacy) Ordinance’ (Hong Kong e-Legislation) <https://www.elegislation.gov.hk/hk/cap486?pmc=1&m=1&pm=0>
- ‘LeaveHomeSafe’ <https://www.leavehomesafe.gov.hk/en/> accessed 31 August 2021
- ‘StayHomeSafe’ Mobile App User Guide’ (The Government of the Hong Kong Special Administrative Region) <https://www.coronavirus.gov.hk/eng/stay-home-safe.html> accessed 31 August 2021
- ‘The Use of Information on Social Media for Tracking Potential Carriers of COVID-19’ (Office of the Privacy Commissioner for Personal Data, Hong Kong) <https://www.pcpd.org.hk/english/news_events/media_statements/press_20200226.html> accessed 26 February 2020
- Cookiebot, ‘New Zealand’s Privacy Act 2020 | Compliance with Cookiebot CMP’ (Cookiebot, 23 February 2021) <https://www.cookiebot.com/en/new-zealand/?gclid=EAIaIQobChMIsqiw5ZGs8gIV4oBQBh1TPQs7EAAYASAAEgLozfD_BwE> accessed 13 August 2021
- Ministry of health, ‘COVID-19: Current cases’ (Ministry of Health, 13 August 2021) <https://www.health.govt.nz/our-work/diseases-and-conditions/COVID-19-novel-coronavirus/COVID-19-data-and-statistics/COVID-19-current-cases> accessed 13 August 2021
- ‘Our Legal System’ (Ministry of Law Singapore) <https://www.mlaw.gov.sg/about-us/our-legal-system/> date accessed 21 June 2018
- ‘Personal Data Protection Act’ (Singapore Statutes Online) <https://sso.agc.gov.sg/Act/PDPA2012> date accessed 22 January 2022
- ‘Personal Data & Data Protection in Singapore (PDPA)’ (National University Singapore) <https://nus.edu.sg/ormc/compliance/personal-data-protection-at-nus/data-data-protection-in-singapore-(pdpa)>
- ‘Contract tracing’ (gobusiness Singapore) <https://www.gobusiness.gov.sg/safemanagement/safeentry/>
- Andreas Illmer, ‘Singapore reveals Covid privacy data available to police’ (BBC News, Singapore 5 January 2021) <https://www.bbc.com/news/world-asia-55541001> accessed 5 January 2021
- ‘Effectiveness and Utilisation of TraceTogether’ (Ministry of Health Singapore_ <https://www.moh.gov.sg/news-highlights/details/effectiveness-and-utilisation-of-tracetogether#:~:text=1.,been%20possible%20with%20manual%20tracing.> accessed 2 November 2020